Does Microsoft support the following configuration of ADFS for Single Sign On with Office 365:
Less than 50 Users
ADFS installed on a Domain Controller
No ADFS Proxy
I have found some documentation saying you can install ADFS on a DC as long as you have less than 50 users; however, I have also found some saying that while you can, MS does not support it. I have found documentation stating you do not need to set up an ADFS Proxy; however, again, I have also found documentation stating that MS will not support it if there is an issue.
Can I get clarification that if I run ADFS on a Domain Controller with no ADFS Proxy and less than 50 users, I will not lose MS Support options?
Thanks for the feedback.
Hi, could you point me to any documentation that MS does not support ADFS on DC? A couple of points:
1. ADFS can be installed on a DC. In fact, we recommend it for smaller organizations. You can refer to our SSO documentation for Office 365.
2. Installing the proxy is HIGHLY RECOMMENDED since it provides a mechanism to filter traffic from the extranet and protect any security information in the firewall. However, it is a recommendation. If you choose to directly allow traffic to the ADFS server from the internet, I'd suggest that you ensure the following:
- Use your external firewall to implement rules allowing traffic to the ADFS server only on port 443
- Be aware that users from the extranet will see an NTLM prompt when talking to the ADFS server
- Non-IE browsers do not support Extended Protection for Authentication (you can search for this on the internet) and they will fail the NTLM authentication
I don't believe there are any support statements on this. However, there is reduced security when you do not use the AD FS 2.0 federation proxy server in conjunction with the AD FS 2.0 federation server. I will confirm and get back to you on this thread if there is a support issue on this.
How many DC's do you have in your environment? Given that you are a very small organization, is there any reason why you would not move to managed domains and not do SSO via ADFS?
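An added audit script for the no-proxy setup described in the answer above (not code from the thread or from Microsoft). It assumes it runs elevated on an AD FS 2.0 server on Windows Server 2008 R2 with the Microsoft.Adfs.PowerShell snap-in installed; the firewall rule name is made up.

```powershell
# Added example: check the three points above on an AD FS server that is published
# to the internet without a federation proxy. Assumptions: AD FS 2.0 on
# Windows Server 2008 R2, run as administrator; the rule name below is invented.

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Is this host also a domain controller? DomainRole 4 = backup DC, 5 = primary DC.
$role = (Get-WmiObject Win32_ComputerSystem).DomainRole
if ($role -ge 4) {
    Write-Host "This host is a domain controller: every port exposed here is exposed on a DC."
}

# TCP ports the host is listening on. With no proxy, the external firewall must
# forward only TCP 443 to this address; every other port listed must stay internal.
$listening = netstat -ano -p TCP | Select-String 'LISTENING' | ForEach-Object {
    ($_.ToString().Trim() -split '\s+')[1] -replace '^.*:', ''
} | Sort-Object -Unique
Write-Host "Listening TCP ports: $($listening -join ', ')"
Write-Host "Verify on the external firewall that only TCP 443 is forwarded to this host."

# Host firewall: one explicit inbound allow for HTTPS, nothing broader.
netsh advfirewall firewall add rule name="AD FS HTTPS inbound" dir=in action=allow protocol=TCP localport=443

# Extended Protection for Authentication (channel binding on the NTLM exchange).
# 'Allow' (the AD FS 2.0 default) or 'Require' keeps it; 'None' turns it off.
# Setting it to None makes non-IE browsers work but removes the channel-binding
# protection on an internet-facing server, so record the value rather than change it here.
$epa = (Get-ADFSProperties).ExtendedProtectionTokenCheck
Write-Host "ExtendedProtectionTokenCheck = $epa"
if ($epa -eq 'None') {
    Write-Warning "Extended Protection is disabled on this internet-facing AD FS server."
}
```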
I want to check if your issue has been resolved.
If you need further assistance, please feel free to reply to me.
You can install ADFS 2.0 on 2008 R2 DCs with NLB. I have successfully done this in production, for a client with approx. 350 users. In this case, they are using an ADFS Proxy in their DMZ, which is ideal.
In another recent O365 project, I was able to successfully configure the client's TMG 2010 firewall to eliminate the need for an ADFS Proxy (the client had no DMZ, and no interest in creating one, just for this). So, if you've got TMG, you could put ADFS on your DCs, publish through your firewall, and have no ADFS Proxy server.
Do you have a manual, or did you use any manual, when you configured AD FS without the Proxy? May I ask you to share it if you have one, as Microsoft isn't much help, as we all know :)
A Proxy, even if it gives you more security, is something most small/mid businesses can't afford. The extra Proxy server setup is expensive, and I'm not even speaking about the work and time required to set up a DMZ and a redundant proxy server. It would be nice to have a top-level, highly secure setup, but ...